Florius
just joined
Topic Author
Posts: 6
Joined: Tue Feb 07, 2017 10:20 pm

DHCP over bridge VLAN

Sun May 13, 2018 5:12 pm

Hi,

I am trying to get 2 separate VLANs working on my Ubiquiti AP. See picture below for a view:
Image

I got VLAN10 working properly now. Now I want VLAN20. I currently got VLAN10 assigned to my 'bridge-vlan10'.
However I think this needs to be assigned to VLAN10. (https://wiki.mikrotik.com/wiki/Manual:C ... HCP-Server).
But when I try to, I get "can't connect to slave device". Which I can imagine of course. But what should I change to make it work?

See below for my current configuration:
[admin@Home] > export
# may/13/2018 16:11:52 by RouterOS 6.42.1
# software id = I4Y1-BJFW
#
# model = 2011UiAS
# serial number = 724F0663B576
/interface bridge
add admin-mac=6C:3B:6B:3A:23:E8 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-vlan10 protocol-mode=none
add fast-forward=no name=bridge-vlan20
/interface vlan
add interface=ether3 name=VLAN10-intern vlan-id=10
add interface=ether10 name=VLAN20-public vlan-id=20
/interface ethernet switch port
set 3 default-vlan-id=0 vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-intern ranges=192.168.1.2-192.168.1.200
add name=pool-public ranges=192.168.2.2-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-intern disabled=no interface=bridge-vlan10 name=dhcp-intern
add address-pool=pool-public disabled=no interface=bridge-vlan20 name=dhcp-public
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge-vlan10 comment=defconf hw=no interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-vlan10 interface=VLAN10-intern
add bridge=bridge-vlan10 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add disabled=yes ports=ether3 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.1.1/24 interface=VLAN10-intern network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.6 client-id=1:d8:cb:8a:81:f3:16 mac-address=D8:CB:8A:81:F3:16 server=dhcp-intern
add address=192.168.1.2 client-id=1:fc:ec:da:13:ba:53 mac-address=FC:EC:DA:13:BA:53 server=dhcp-intern
/ip dhcp-server network
add address=192.168.1.0/24 comment=networks-intern dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow intern" src-address=192.168.88.0/24
add action=accept chain=input src-address=192.168.178.0/24
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input src-address=192.168.2.0/24
add action=drop chain=input comment="Drop else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Home
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Samot
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: DHCP over bridge VLAN

Sun May 13, 2018 5:56 pm

For 6.41.x or higher the way you do this has changed. However, looking at this why do you need two VLANs? It looks like one subnet is on ether3 and the other is on ether10. Are you going to be using the two subnets on the same Ethernet interfaces? Or will these subnets be isolated to each interface?

If you are only going to be using 192.168.88.1/24 on ether3 and 192.168.88.2/24 on ether10 then they each need to be their own interface and not part of the same bridge. If they are the only interfaces using these subnets (meaning 2 and 4-9 are open for other things) then you don't even need a bridge for them. Just assign the subnets to each interface and make a DHCP server for each interface.

Otherwise, if multiple interfaces are going to share those subnets can you share that? You'll want to check out https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering to see how the new Bridge VLANs are handled in 6.41.x and higher. If you still need some help after that, post what changes you made and the issues you are still having along with another export of your config and I can see what needs to be corrected (if anything).
 
Florius
just joined
Topic Author
Posts: 6
Joined: Tue Feb 07, 2017 10:20 pm

Re: DHCP over bridge VLAN

Sun May 13, 2018 6:25 pm

Hi Samot. Thanks a lot for your advice.

The idea is to have an internal VLAN for my PC and internal WiFi via my AP.
Then I need a second public VLAN for my wired printer and public AP WiFi.

I indeed noticed it has changed in 6.41.X, I'm currently running 6.42.1.

EDIT:

I have no clue what ingress and egress means... I have no clue if I should give VLAN10 as PVID everywhere or something.
The idea is to have VLAN10 untagged, and VLAN20 tagged on the AP.

I would be very thankful if you would mind helping me out. My current configuration:
[admin@Home] > export
# may/13/2018 17:36:14 by RouterOS 6.42.1
# software id = I4Y1-BJFW
#
# model = 2011UiAS
# serial number = 724F0663B576
/interface bridge
add admin-mac=6C:3B:6B:3A:23:E8 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-trunk protocol-mode=none pvid=10 vlan-filtering=yes
add disabled=yes fast-forward=no name=bridge-vlan10 protocol-mode=none
add disabled=yes fast-forward=no name=bridge-vlan20 protocol-mode=none
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge-trunk name=VLAN10-intern vlan-id=10
add interface=bridge-trunk name=VLAN20-public vlan-id=20
/interface ethernet switch port
set 3 default-vlan-id=0 vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-intern ranges=192.168.1.2-192.168.1.200
add name=pool-public ranges=192.168.2.2-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-intern interface=VLAN10-intern name=dhcp-intern
add address-pool=pool-public interface=VLAN20-public name=dhcp-public
add address-pool=pool-intern disabled=no interface=VLAN10-intern name=dhcp-public1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge-trunk comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-trunk interface=VLAN10-intern pvid=10
add bridge=bridge-trunk interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-trunk tagged=VLAN20-public vlan-ids=10,20
/interface ethernet switch vlan
add disabled=yes ports=ether3 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.1.1/24 interface=VLAN10-intern network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:fc:ec:da:13:ba:53 mac-address=FC:EC:DA:13:BA:53 server=dhcp-intern
/ip dhcp-server network
add address=192.168.1.0/24 comment=networks-intern dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow intern" src-address=192.168.88.0/24
add action=accept chain=input src-address=192.168.178.0/24
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input src-address=192.168.2.0/24
add action=drop chain=input comment="Drop else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Home
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Samot
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: DHCP over bridge VLAN

Sun May 13, 2018 7:00 pm

OK, so do you want to have Ether2-Ether10 on the same bridge so that no matter what plugs into the Ether ports can be on either of those VLANs? Or is Ether3 (or 10) going to have a switch that will have the devices connected there? Or will X amount of ports be for one subnet and X for the other?

I'm just trying to figure out if you need VLANs or just need to set up X amount of ports in one bridge and X in another for each subnet.
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: DHCP over bridge VLAN

Sun May 13, 2018 7:10 pm

check.png

Is the above what you're trying to do? I don't understand your diagram, and the config is a weird mix of bridge VLANs, switch chip VLANs and VLAN interfaces inside bridges...
 
Florius
just joined
Topic Author
Posts: 6
Joined: Tue Feb 07, 2017 10:20 pm

Re: DHCP over bridge VLAN

Sun May 13, 2018 7:35 pm

Hi,

The uplink from the RB2011 comes untagged on ETH1.

ETH3 will be untagged vlan10 to my PC.
ETH10 (PoE) will be untagged vlan10, and tagged vlan20.
Eth2 will be untagged vlan20.
Eth 4-9 will remain free for now.

May I ask with which program did you make the diagram?
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: DHCP over bridge VLAN

Sun May 13, 2018 8:51 pm

"May I ask with which program did you make the diagram?"
I used https://www.draw.io/

This explanation gives a much better perspective. One doubt: which is your vlan10 tagged interface? This will be where your L3 VLAN interface needs to be in order to have inter-VLAN routing. I am assuming eth10 is connected to the ubqt device; why untagged 10 and tagged 20 on eth10? I think if ubnt can tag both VLANs then it should, in order to take load off the RB2011.
 
Florius
just joined
Topic Author
Posts: 6
Joined: Tue Feb 07, 2017 10:20 pm

Re: DHCP over bridge VLAN

Mon May 14, 2018 10:12 pm

I honestly assumed it wasn't possible. But it seems it is! So then I can do both 10 and 20 tagged to the AP.
You lost me at the intervlan routing part..
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: DHCP over bridge VLAN

Tue May 15, 2018 1:27 am

RB2011 has 2 switch chips, 8327 for ports 1-5 +SFP and 8227 for ports 6-10.

Ports 6-10 do not support hybrid VLAN, i.e. tagged and untagged. If you want hybrid VLAN ports, you must use ports 1-5 or SFP.
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: DHCP over bridge VLAN

Tue May 15, 2018 12:15 pm

What you'd have to do is tag the VLANs on the ubqt device. I really can't help there, I don't have a clue about ubqt. Once that's done you'll receive tagged frames for both VLANs on your MikroTik, and all that's left to do is add them in bridge vlan:

pseudo:
/interface bridge vlan
vlan10 tagged=eth10-ubqt,bridge-trunk untagged=ether3-pc,etherX-NAS (from diagram)
vlan20 tagged=eth10-ubqt,bridge-trunk untagged=ether2-printer

Test and see if it works. This could be done on the switch chip like @CZFan said above, but I really don't understand the RB switch chip; if it were a CRS1xx/2xx I could help.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: DHCP over bridge VLAN

Tue May 15, 2018 3:35 pm

@Florius,

Firstly, based on the config export, you are using a RB2011, so you should not be using the config as per below as that is for totally different hardware architecture:

https://wiki.mikrotik.com/wiki/Manual:C ... HCP-Server

The one you should be using is:

https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

Look into above, and if you have questions, come back here and I will assist
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: DHCP over bridge VLAN

Tue May 15, 2018 4:15 pm

That's the one I can't seem to understand; it's way easier in CRS1xx/2xx.
 
Samot
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: DHCP over bridge VLAN

Tue May 15, 2018 4:43 pm

I'll admit, I'm still a bit confused by this. Especially since I just looked at the OP's config and nowhere in there does he have 192.168.2.0/24 assigned to any interface; more importantly, it's not assigned to the VLAN20 interface. Having an IP pool for 192.168.2.1-192.168.2.255 is pointless if that subnet isn't assigned to the router/interfaces at all.

Why is this subnet not set up properly or assigned to the VLAN20 interface?
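
Added example, not part of the thread: a Python check for the gap described in the post above, run over an excerpt of the second export posted earlier (trimmed to the VLAN10/VLAN20 entries). The function names `parse_export` and `audit_dhcp` belong to this example only; it assumes the plain-text format produced by `export`, including its backslash line wrapping.

```python
import ipaddress
import shlex

# Excerpt of the second export posted in the thread, trimmed to the VLAN10/VLAN20 entries.
EXPORT = """
/ip pool
add name=pool-intern ranges=192.168.1.2-192.168.1.200
add name=pool-public ranges=192.168.2.2-192.168.2.200
/ip dhcp-server
add address-pool=pool-intern interface=VLAN10-intern name=dhcp-intern
add address-pool=pool-public interface=VLAN20-public name=dhcp-public
/ip address
add address=192.168.1.1/24 interface=VLAN10-intern network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=networks-intern dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
"""


def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the 'add' lines of an export."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus


def audit_dhcp(menus):
    """Return (server name, problem) pairs for DHCP servers missing their L3 pieces."""
    pools = {p["name"]: p["ranges"] for p in menus.get("/ip pool", [])}
    addrs = {}
    for a in menus.get("/ip address", []):
        net = ipaddress.ip_interface(a["address"]).network
        addrs.setdefault(a["interface"], []).append(net)
    dhcp_nets = [ipaddress.ip_network(n["address"])
                 for n in menus.get("/ip dhcp-server network", [])]
    findings = []
    for srv in menus.get("/ip dhcp-server", []):
        name, iface = srv["name"], srv["interface"]
        nets = addrs.get(iface, [])
        if not nets:
            findings.append((name, f"no /ip address on interface {iface}"))
        ranges = pools.get(srv.get("address-pool", ""))
        if ranges is None:
            findings.append((name, "address-pool is not defined in /ip pool"))
            continue
        # Only the first address of the first range is tested against the subnets.
        first = ipaddress.ip_address(ranges.split(",")[0].split("-")[0])
        if nets and not any(first in n for n in nets):
            findings.append((name, f"pool {ranges} is outside the subnet on {iface}"))
        if not any(first in n for n in dhcp_nets):
            findings.append((name, f"no /ip dhcp-server network covers {ranges}"))
    return findings


if __name__ == "__main__":
    for server, problem in audit_dhcp(parse_export(EXPORT)):
        print(f"{server}: {problem}")
```
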
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: DHCP over bridge VLAN

Tue May 15, 2018 5:00 pm

You're right, just add a dhcp-server on vlan20, else even if the VLANs are correct you won't get a DHCP lease.
 
Florius
just joined
Topic Author
Posts: 6
Joined: Tue Feb 07, 2017 10:20 pm

Re: DHCP over bridge VLAN  [SOLVED]

Tue May 15, 2018 9:19 pm

Hi,

I didn't add VLAN20 yet as VLAN10 wasn't even working. I wanted VLAN10 working first, which wasn't anything unusual but it didn't work.
I did as @CZFan suggested, but now DHCP doesn't even work...
[admin@Home] > export
# may/15/2018 04:40:11 by RouterOS 6.42.1
# software id = I4Y1-BJFW
#
# model = 2011UiAS
# serial number = 724F0663B576
/interface bridge
add admin-mac=6C:3B:6B:3A:23:E8 auto-mac=no comment=defconf name=bridge
add name=bridge-trunk protocol-mode=none
/interface ethernet switch port
set 3 default-vlan-id=10 vlan-mode=secure
set 4 default-vlan-id=10 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-intern ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp interface=bridge-trunk name=defconf
add address-pool=pool-intern disabled=no interface=bridge-trunk name=\
    dhcp-intern
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-trunk interface=ether3
add bridge=bridge-trunk interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4 switch=switch1 vlan-id=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.1.1/24 interface=bridge-trunk network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1 \
    netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Home
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Home] >
EDIT: Fixed it with some wonderful help of 2 guys on the IRC, I really owe you guys!! Thank you!!
Working config:
[admin@Home] > export
# may/15/2018 21:58:57 by RouterOS 6.42.1
# software id = I4Y1-BJFW
#
# model = 2011UiAS
# serial number = 724F0663B576
/interface bridge
add admin-mac=6C:3B:6B:3A:23:E8 auto-mac=no comment=defconf name=bridge
add name=bridge-trunk protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge-trunk name=VLAN20 vlan-id=20
add interface=bridge-trunk name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-intern ranges=192.168.1.10-192.168.1.200
add name=pool-public ranges=192.168.2.10-192.168.2.200
/ip dhcp-server
add address-pool=pool-public disabled=no interface=VLAN20 name=dhcp-public
add address-pool=pool-intern disabled=no interface=bridge-trunk name=dhcp-intern
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-trunk interface=ether3
add bridge=bridge-trunk interface=ether5
add bridge=bridge-trunk interface=vlan10
add bridge=bridge-trunk interface=VLAN20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=20
add bridge=bridge-trunk untagged=ether3,ether5,bridge-trunk vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 interface=bridge-trunk network=192.168.1.0
add address=192.168.2.1/24 interface=VLAN20 network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Home
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Home] >
EDIT2, I wanted ether2 on VLAN20, had to set the following:
add bridge=bridge-trunk interface=ether2 pvid=20
